The European Union’s General Data Protection Regulation, or GDPR as it is often called, is due to come into effect on May 25th, leaving only 10 business days for organizations to comply. While the new regulation is meant to protect consumers and their data, cyber criminals have begun taking advantage of GDPR to do just the opposite.
In order to be GDPR compliant, organizations must update their data policies and make the changes clear to their customers, usually by emailing them a statement. Cyber criminals are aware of the influx of GDPR-related emails consumers will be receiving and have begun using them as a template for their phishing attacks.
Airbnb customers were the first to be targeted with this new technique, although customers of the bitcoin exchange service Poloniex have also reported seeing these phishing emails. Currently these attacks are only looking to steal personal information such as credit card numbers; however, they could easily be adapted into something more sinister by tricking the user into downloading malware instead.
The Airbnb attacks seem to be targeting corporate email addresses, most likely scraped from the web, and are sent from a domain that looks like Airbnb’s official domain (@mail.airbnb.work). The fake emails also use the official Airbnb logo in order to create a sense of authenticity. Below is a side-by-side comparison of the legitimate Airbnb GDPR statement and the circulated phishing email.
When one click from an employee can jeopardize the organization’s entire IT infrastructure, it is important not only that users are trained to identify a phishing email, but also that organizations do everything they can to prevent these emails from reaching users’ mailboxes in the first place.
The Email Laundry’s Full-Stack Email Security Service is the highest rated Secure Email Gateway on Gartner Peer Insights and offers protection against look-alike domains similar to the one used in these attacks. For added protection, customers can also enable The Email Laundry’s Advanced Threat Protection, which protects against malware embedded in attachments, landing pages, and URLs.
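As an added example (not code from the original post or from The Email Laundry), here is a small Python filter for the look-alike sender domain described above: it flags messages whose From: address contains a known brand name, as mail.airbnb.work does, but whose registrable domain is not one the brand owns. It assumes airbnb.com and poloniex.com are the brands’ legitimate sending domains, which the post does not state, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Brand keyword -> registrable domains the brand really sends from. Assumption:
# airbnb.com and poloniex.com are the legitimate domains; the post names neither.
TRUSTED_BRANDS = {
    "airbnb": {"airbnb.com"},
    "poloniex": {"poloniex.com"},
}


def registrable_domain(host):
    """Last two labels of a host, e.g. mail.airbnb.work -> airbnb.work.
    Simplification: a production filter would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header):
    """Return 'trusted', 'lookalike', 'unknown' or 'malformed' for a From: header."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    host = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    for brand, legit_domains in TRUSTED_BRANDS.items():
        if reg in legit_domains:
            return "trusted"
        # Brand name in the sending host (under any TLD, e.g. .work) or in the
        # display name, while the registrable domain is not one the brand owns.
        if brand in host.replace("-", "") or brand in display.lower():
            return "lookalike"
    return "unknown"


def flag_lookalikes(raw_messages):
    """Return the From: headers of messages whose sender is a look-alike."""
    flagged = []
    for raw in raw_messages:
        sender = message_from_string(raw).get("From", "")
        if classify_sender(sender) == "lookalike":
            flagged.append(sender)
    return flagged


# Constructed sample messages modelled on the post's description (not real mail).
SAMPLE_MESSAGES = [
    "From: Airbnb <automated@airbnb.com>\nSubject: Updates to our Privacy Policy\n\nok",
    "From: Airbnb <noreply@mail.airbnb.work>\nSubject: Updates to our Privacy Policy\n\nphish",
    "From: Poloniex Support <support@poloniex-gdpr.example>\nSubject: GDPR\n\nphish",
    "From: Alice <alice@example.org>\nSubject: lunch\n\nunrelated",
]
```

The brand-keyword check is deliberately broad, so a quarantine rather than an outright reject is the sensible action for "lookalike" results until the list of legitimate domains has been tuned.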